Reslab Activity Log

Changelog

1.4.1 Latest

  • Fixed: successful logins and logouts were logged with the acting user recorded as "Guest" — WordPress fires wp_login/wp_logout before it considers that user "current" for the request, so the log now records the user WordPress itself passes to those hooks instead of relying on get_current_user_id().
  • Fixed: user-deletion events always logged an empty username, because deleted_user fires after the user row is already gone from the database; the log now uses the WP_User object core passes directly to that hook.
  • Fixed: the REST API endpoint (/wp-json/reslab-al/v1/events) triggered a _doing_it_wrong() notice when called with no filters active.
  • Fixed: inconsistent internal whitespace in the log table's schema definition made dbDelta() reissue a full set of ALTER TABLE statements on every version-gated upgrade check, even when nothing had actually changed — harmless but unnecessary, and avoidable table-lock overhead on a large log.
  • Added: reslab_al_default_roles filter — controls which roles are granted the plugin's capabilities on activation/upgrade (previously administrator-only, hardcoded).
  • Changed: the internal schema-upgrade lock now uses an atomic add_option() instead of a get_transient()/set_transient() pair, closing a race window under concurrent requests.

1.4.0

  • Added: Mass Deletion Alerts — a second, independent anomaly check (off by default) that catches one user deleting an unusual number of objects in a short window.
  • Added: optional webhook URL — brute-force and mass-deletion alerts are POSTed as JSON alongside the existing email, for Slack/Discord/Zapier/Make/n8n integrations. New reslab_al_alert_{$type} action hook for custom integrations.
  • Added: "Archive before purge" — optionally save a gzip CSV snapshot of entries before the nightly purge deletes them, downloadable from Settings (nonce + capability gated, not a direct/public URL).
  • Added: read-only REST API (GET /wp-json/reslab-al/v1/events), authenticated via WordPress Application Passwords, for external monitoring/SIEM tools. Supports the same filters as the admin screen.

1.3.0

  • Added: events fired within the same request are now grouped into a single row in the log (with the rest listed in the expandable details) instead of producing several near-duplicate rows for one editorial save.
  • Added: "last ran X ago" status under Data Retention and Brute-Force Alerts in Settings, to confirm those WP-Cron jobs are actually executing.
  • Added: free-text search across event details (product/post titles, usernames, option names, coupon codes, etc.).
  • Added: the reslab_al_viewable_object_types filter is now implemented, letting you restrict which event types a role/user can see in the log and CSV export.
  • Schema change: new request_id column (+ index); migrates automatically via dbDelta() on upgrade, no manual action needed.

1.2.0

  • Fixed: WooCommerce order transitions were logged twice: once correctly as an "order" event, and once again as a generic "post" event mislabeled "(deleted)", because orders under HPOS don't live in wp_posts. The generic tracker now leaves WooCommerce order/refund post types alone entirely; order deletion is tracked separately via woocommerce_delete_order.
  • Fixed: the "order" object link now resolves through wc_get_order()->get_edit_order_url(), which works correctly for both HPOS and legacy post-based orders (the old link pointed at post.php?post=, which 404s under HPOS).
  • Fixed: auto-draft post-status transitions (WordPress reserving a post ID before the editor even opens) no longer create a status_changed_to_auto-draft log entry.
  • Changed: "Anonymize IP addresses" is now enabled by default on new/unconfigured installs, for GDPR compliance out of the box.
  • Changed: brute-force email alerts are now opt-in — a new "Enable brute-force alerts" checkbox (disabled by default) gates the hourly check; the threshold/window settings only take effect once it's turned on.

1.1.0

  • Security: fixed a CSV/Formula injection vector in the "Export CSV" action — fields starting with =, +, - or @ are now neutralised.
  • Renamed the database table from {prefix}activity_log to {prefix}reslab_activity_log to avoid collisions with other logging plugins; existing data is migrated automatically via RENAME TABLE on upgrade.
  • Added a composite index on (action, created_at) to speed up the brute-force detection query on large logs.
  • CSV export now streams results in batches instead of loading the entire (filtered) log into memory.
  • Log purge now caps the number of batches processed per WP-Cron run and reschedules itself to finish large retention-period drops instead of risking a request timeout.
  • Added a dedicated reslab_al_manage_settings capability for the Settings page, replacing the hardcoded manage_options check, for consistency with reslab_al_view_log / reslab_al_clear_log.
  • The table-version check on plugins_loaded no longer re-runs dbDelta() on every front-end request while a mismatch persists; it is now throttled with a short-lived lock.
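
The CSV export fix in this release concerns cells that a spreadsheet would evaluate as formulas. The following is an added example of one common way to neutralise them (prefixing a single quote); it is not the plugin's own code, and the function names are hypothetical. Beyond the four characters the changelog names, it also treats a leading tab or carriage return as a trigger, which is an assumption.

```php
<?php
// Added example, not taken from the plugin. Function names are hypothetical.

/**
 * Prefix a cell with a single quote when its first character would make a
 * spreadsheet treat it as a formula. =, +, - and @ are the characters the
 * changelog names; tab and carriage return are an added assumption.
 * Trade-off: legitimate values such as "-1" are also prefixed.
 */
function example_neutralise_csv_cell( $value ): string {
    $value = (string) $value;
    if ( $value === '' ) {
        return $value;
    }
    $triggers = array( '=', '+', '-', '@', "\t", "\r" );
    if ( in_array( $value[0], $triggers, true ) ) {
        return "'" . $value;
    }
    return $value;
}

/** Write rows to an in-memory CSV stream, neutralising every cell. */
function example_rows_to_csv( array $rows ): string {
    $out = fopen( 'php://memory', 'w+' );
    foreach ( $rows as $row ) {
        $safe = array_map( 'example_neutralise_csv_cell', $row );
        // Quoting and delimiter escaping are left to fputcsv().
        fputcsv( $out, $safe, ',', '"', '\\' );
    }
    rewind( $out );
    $csv = stream_get_contents( $out );
    fclose( $out );
    return $csv;
}

// Constructed sample log rows: user, action, details.
$rows = array(
    array( 'alice', 'post_updated', 'Hello world' ),
    array( '=1+1', 'login_failed', '@SUM(A1:A9)' ),
    array( 'bob', 'option_updated', '-1' ),
);

echo example_rows_to_csv( $rows );
```

Log fields such as usernames and post titles are attacker-influenced (a failed login records whatever username was submitted), which is why the neutralisation is applied to every cell rather than to selected columns.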

1.0.0

  • Initial release.
  • Tracks authentication, content, users, plugins, themes, settings, and navigation menus.
  • WooCommerce integration: order status, product meta, coupons, refunds.
  • Polylang integration: language assignments.
  • Brute-force email alert via hourly WP-Cron.
  • CSV export with active filter support.
  • GDPR features: IP anonymisation, configurable retention period, email hashing.
  • Custom capabilities reslab_al_view_log and reslab_al_clear_log.
  • Full uninstall.php for clean removal.